Nearly two years after it launched a bug bounty program, Yahoo says it has awarded researchers who reported security vulnerabilities a total of more than $1 million.
According to Ramses Martinez, senior director and interim CISO at Yahoo, the company has received 10,000 submissions from 1,800 researchers since the launch of the vulnerability rewards program. A total of 600 researchers reported valid security flaws, 1,500 of which have resulted in a bounty payout.
The monthly validity rate of vulnerability reports is currently 15 percent, which represents a 5 percent increase compared to the end of 2014. Martinez noted that 87 percent of reporters have submitted less than 10 bugs, and half of all submissions are from the top 6 percent of contributors.
“A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid,” Martinez said in a blog post.
“The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submit, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program,” he added.
Before October 2013, researchers who reported vulnerabilities to Yahoo were awarded a $12.50 voucher. After numerous complaints, Yahoo launched a proper bug bounty program via HackerOne and promised contributors between $50 and $15,000 based on the severity of the bugs.
In October 2014, Yahoo reported paying out over $700,000 to researchers through its bug bounty program and now the total amount has increased to more than $1 million.
In comparison, Facebook said in February that it had paid out a total of $3 million since the launch of its vulnerability rewards program four years ago. The social media giant awarded researchers $1.3 million in 2014 alone.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
